hacked; user ID, e-mail, phone numbers stolen


TOPICS: Malware
Monster recently posted a PSA on their site notifying users that their database was illegally accessed and certain contact and account data were taken, "including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data."

The information accessed does not include resumes.

"Monster does not generally collect – and the accessed information does not include - sensitive data such as social security numbers or personal financial data."

Monster says they initiated an investigation and took corrective steps, and so far, have not detected misuse of the information.

The company also says users may soon be required to change their password upon logging onto the site, but when I logged in after reading the bulletin, I was not prompted to change my password in any way.

It must also be noted that as a registered user of the site, I was not e-mailed or notified by Monster directly about the breach, and only found it doing my normal news-gathering rounds on the web. This is not exactly best business practice for a breach of this nature; it should be noted that Monster has a poor history of waiting before notifying users of its site of security risks.

Of course, with an exposed e-mail address at risk, beware of future "phishing" emails; also, avoid using the same passwords across multiple sites as a precaution for this type of breach.

UPDATE 1/27/09: Looks like the UK got hit for 4.5 million users, and no word on the other 35 countries Monster operates in.


Andrew Nusca

  • Monster Security

    fool me once shame on Monster, fool me twice shame on me...
  • RE: hacked; user ID, e-mail, phone numbers stolen

    Just yesterday I blogged about the same exact issue--the fact that failed to notify any of their customers/users is inexcusable.

    -Mike D
  • Big freaking deal

    You mean the website where I allow ANY prospective employer access to my email, phone number and address (through my resume) - was hacked and that info was stolen? Since I'm giving it away to strangers for free - why should I be concerned if it gets stolen?
    Roger Ramjet
    • It matters to some

      If you are lazy and use the same password at multiple sites. With your name, email and password can someone access your bank account? Can they log into your email account, reset your password then get all of your other accounts to email your passwords and user ids?

      A reminder to not be lazy. Use different passwords on every site.
    • With Caution

      Agreed, I use EVERY website with caution, never full name, usually using one initial for first or last name. I also use a PO Box and non-descript gmail. Never put references or any other specifics as to department or supervisors, purposely a little vague. Bottom line is that they would have to scam me direct and I'm waiting patiently, bwaaaaa haaaa haaaa haaaa! ;)
  • wrecking their own site

    It's bad enough that has working industriously to wreck the usefulness of their own site for finding work; now they've got hackers snagging personal private information that not even should have had.
  • RE: hacked; user ID, e-mail, phone numbers stolen

    Well, maybe it doesn't matter to some, but my info is up there and it matters to me! I haven't had a good hit from them since I signed up. Not one job!
    What also bothers me is the way that security seems to be implemented by those trusted with important information. At every level: government, companies and even the grocery stores. They would do a better job if it were 'their' information. I expect the same diligence from them with mine. Everyone is being hacked. Why? I don't know Bill Gates. Never met him. If I came on his property, I'd be arrested. My point is this: If someone is mad at Bill, take it out on Bill! I don't know the hacker and I don't know Bill. Why take my machine down? I might be working on the cure for cancer or maybe the answer to the oil problem. No one knows what the next guy is doing with his machine! I believe with my whole heart that the 'book' should be thrown at hackers. Give them some real time, like a dope dealer gets. Why? How much money do they cause to be lost (now there's something most will understand)? How many lives have they ruined? Where are the consequences and just what are the techs doing to prevent it? Remember 'CRC?' Why not have the OS be locked with a CRC type program as a first line of defense (make it read only)? Rooting out bad code would be easier if that was done first, wouldn't it? If the present approach isn't working, change your path! Anyone understand what I'm saying?
    • Monster was the bomb back in 2005..

      I used to get tons of job offers, and I got many interviews too.

      But, your resume does matter; if you have a poorly designed and/or organized one, they won't bother with you.

      As far as site hacking, cr@p it seems like all the sites are getting hacked anymore! When is the FBI going to start doing something about this?

      As if the economy weren't bad enough, we need to start shooting crackers up against the wall! Maybe the sight of that on the news will deter the scum bags; if not, it will sure make the public feel better for having suffered from it!
  • RE: hacked; user ID, e-mail, phone numbers stolen

    "Monster says they initiated an investigation and took corrective steps, and so far, have not detected misuse of the information."

    Oh yeah, right. Only misuse they could possibly detect would be on their own site.

    "user ID, e-mail, phone numbers stolen"
    I use an alternate email address for just such a reason.
    I don't use the same ID/passwords/email for sites like monster that I do for my personal finance sites.
    Addresses and phone numbers are already available via, etc.

    Even if they got my resume, they would not get SSN as I don't provide that to anyone but an actual employer upon being hired.

    One company I applied to had the SSN as a required field to register and submit a resume. I promptly put all 9's as it's none of their business until they actually offer me job.

    I am not too worried, though I did change my password.

    I noticed that Monster placed an alert link about this on their website:

    "January 23, 2009

    Alert: An important security message from Monster. Click Here"

    under the FAQ:

    "Are you contacting consumers directly?

    Monster elected not to send e-mail notifications to avoid the risk those e-mails would be used as a template for phishing e-mails targeting our job seekers and customers. We believe placing a security notice on our site is the safest and most effective way to reach the broadest audience. As an additional precaution, we will be making mandatory password changes on our site."

    I don't necessarily agree with that.

    I am a firm believer in White's Chappaquiddick Theorem: "The sooner and in more detail you announce bad news, the better."

    Monster should have sent me an e-mail. I shouldn't have had to find out about this on ZDNet.

    BNY Mellon sent me a letter in the mail and provided 2 years free Triple-Alert credit monitoring when some backup tapes came up missing, even though I had not done business with them for almost two years.
    • Re: hack

      I've gotten jobs, but not one from Monster. I told them last year they were hacked. They said I didn't know what I was talking about. Do you think they told me I was hacked? No! They don't have my social, at least from Monster, but who knows? I have 12 pages of passwords (both sides). I have to look at it to get on here. I'm not worried about Monster too much, but I agree that hackers (or proper term: crackers) should have something done to them. Right now, I only see a case every so often. As I said, I'd like to see more done and much more harsh. South Africa, Australia, England, Liberia and Nigeria send me at least two scams a day, with more nations all the time. Interpol and the FBI say they don't have enough people or laws. They say ignore them. I say this doesn't work.
  • some link

    I'm "impressed" that a tech site like Ziff-Davis doesn't even know how to link to the original story. The link goes back to the latest published entry in the blog, NOT to the news item these comments discuss.

    And you wonder why security can't be done right?
    • HA! HA!...

      I never even checked the story - but you never know with ZDNet!